Mt. Spokane Pediatrics Data Breach–What You Need to Know & What to Do Next
Overview
Mt. Spokane Pediatrics reported a cybersecurity incident that occurred in early January 2026, resulting in the theft of protected health information belonging to over 32,000 patients. The Washington state pediatric practice discovered the breach and confirmed the scope of compromised data through a forensic investigation completed in April 2026.
Mt. Spokane Pediatrics is a pediatric healthcare provider serving families in Washington state. According to the practice’s breach notice, the cyberattack occurred on or around January 1, 2026. The threat actor was found to have exfiltrated files containing patients’ protected health information.
The LockBit5 ransomware group publicly claimed responsibility for the attack, adding Mt. Spokane Pediatrics to its dark web data leak site on January 3, 2026, just days after the breach occurred. The ransomware group threatened to leak the stolen data within 20 days if ransom demands were not met.
The forensic investigation, completed on April 22, 2026, determined the full scope of the data breach. Mt. Spokane Pediatrics began notifying affected individuals following the completion of the investigation. LockBit has been one of the most prolific ransomware groups, though law enforcement disrupted its operations in 2024. The emergence of LockBit5 represents the group’s continued evolution despite previous takedown efforts.
What Information Was Exposed In the Mt. Spokane Pediatrics Data Breach?
According to Mt. Spokane Pediatrics’ breach notification, the exfiltrated files contained full names, dates of birth, Social Security numbers, diagnoses, treatment information, patient numbers, medical record numbers, health plan beneficiary numbers, and dates of service.
The exposure of this comprehensive medical and personal information creates significant risks for affected patients. Social Security numbers combined with medical information can be used for identity theft, medical fraud, and insurance fraud. The exposure of pediatric patient information is particularly concerning as children’s identities may be compromised for years before detection.
How Mt. Spokane Pediatrics Responded to the Breach?
Upon discovering the cyberattack, Mt. Spokane Pediatrics engaged forensic investigators to determine the nature and scope of the incident. The investigation concluded on April 22, 2026, confirming the types of data that had been exfiltrated.
The practice began notifying the 32,021 affected individuals and is offering complimentary single-bureau credit monitoring services as a precaution. Mt. Spokane Pediatrics stated in its breach notice that it is unaware of any actual or attempted fraud as a result of the data breach.
The practice is required under HIPAA to notify affected individuals, the U.S. Department of Health and Human Services, and potentially the media given the number of affected individuals exceeds 500. Washington state also has data breach notification laws requiring notification to affected residents.
How to Check If Your Personal Info Is Exposed
If you are a current or former patient of Mt. Spokane Pediatrics in Washington state, or if your child receives or received pediatric care at the practice, your personal and protected health information may have been exposed in this breach. The breach affects 32,021 individuals, and Mt. Spokane Pediatrics should be sending notification letters to those whose data was compromised.
Monitoring your accounts, reviewing credit reports and explanation of benefits statements, and watching for notification letters from Mt. Spokane Pediatrics are crucial steps in assessing your potential exposure.
What You Can Do If Your Information Was Exposed
If you receive a notification letter from Mt. Spokane Pediatrics, take advantage of the complimentary credit monitoring services being offered. Enroll promptly, as there may be a deadline to activate these services.
Review your financial accounts, credit reports, and medical explanation of benefits forms for any unfamiliar activity. Given that Social Security numbers were exposed, consider placing a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion).
For parents of affected children, be particularly vigilant in monitoring for signs of identity theft involving your child’s Social Security number. Children’s stolen identities are sometimes not discovered until years later when they apply for credit or employment.
Be vigilant for signs of medical identity theft, including unexpected medical bills, explanation of benefits statements for services not received, or insurance claims for treatments not provided. Be cautious of phishing attempts following this breach. Acting now can limit the long-term consequences and protect your family’s personal, financial, and medical information.
Understanding Your Legal Rights: Data Breach Lawyer Near Me
Victims of data breaches may be entitled to legal remedies if a healthcare provider did not adequately safeguard their protected health information. Pediatric practices have heightened duties under HIPAA to protect the sensitive medical and personal information of their young patients.
Almeida Law Group is actively reviewing the Mt. Spokane Pediatrics incident to determine what legal options may be available for those affected.
If you or your child is a patient of Mt. Spokane Pediatrics and believe your information may have been exposed in this breach, you can contact Almeida Law Group for a free consultation.
